location compatibility with allow_other_host

[boardfish]

When raise_on_open_redirects is enabled in Rails config, redirect_to now raises UnsafeRedirectError in case the host of the redirect location does not match that of the current request. It's ordinarily possible when using redirect_to to specify allow_other_host: true to prevent this error from being raised in situations where UnsafeRedirectError did not need to be raised.

However, if the location param is used, it isn't possible to do this - the redirect path is expected as a single variable.

This does not work:

respond_with @thing, location: redirect_path, allow_other_host: true

I also attempted this:

respond_with @thing do |format|
  format.html { redirect_to redirect_path, allow_other_host: true }
end

But this causes a regression in that I'm reliant on respond_with's handling of an invalid record, particularly the error flash.

I'm happy to look into a fix for this myself, but I could perhaps do with some guidance. I think all we might need is to pluck allow_other_host from options and pass this into this call, but we may have room to afford ourselves something more flexible than that.

[jotolo]

Hey @boardfish , did you manage to find any working workaround to this issue?

[boardfish]

Afraid not, sorry – the instance where our code was falling foul of UnsafeRedirectError with respond_with was a one-off that we decided against fixing a couple of weeks after I raised this issue.